US11689545B2ActiveUtilityA1

Performing cybersecurity operations based on impact scores of computing events over a rolling time interval

88
Assignee: VMWARE INCPriority: Jan 16, 2021Filed: Jan 16, 2021Granted: Jun 27, 2023
Est. expiryJan 16, 2041(~14.5 yrs left)· nominal 20-yr term from priority
G06F 16/245H04L 63/20H04L 63/0263H04L 63/1416H04L 63/1441H04L 63/1433G06N 5/04G06N 7/01
88
PatentIndex Score
2
Cited by
24
References
20
Claims

Abstract

The disclosure herein describes automatically performing security operations associated with a client system based on aggregated event impact scores of computing events during a rolling time interval. Event data is obtained, wherein the event data is from a plurality of computing devices of the client system associated with computing events occurring during a time interval after an endpoint of the rolling time interval. Event impact scores are calculated for the computing events of the obtained event data over the time interval based at least on cardinality estimation. The calculated event impact scores are merged into the set of aggregated event impact scores associated with the rolling time interval and event impact scores associated with an expired time interval are removed from the set of aggregated event impact scores. Based on the set of aggregated event impact scores, at least one security operation is performed for at least one computing event.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method of automatically performing security operations associated with a client system based on aggregated event impact scores of computing events during a rolling time interval, the method comprising:
 obtaining, by a processor, event data from a plurality of computing devices of the client system associated with computing events occurring during a time interval after an endpoint of the rolling time interval; 
 calculating, by the processor, event impact scores for the computing events of the obtained event data over the time interval based at least on cardinality estimation; 
 merging, by the processor, the calculated event impact scores into a set of aggregated event impact scores for computing events associated with the rolling time interval; 
 removing, by the processor, event impact scores of computing events associated with an expired time interval from the set of aggregated event impact scores; and 
 performing, by the processor, at least one security operation for at least one computing event based on the set of aggregated event impact scores. 
 
     
     
       2. The method of  claim 1 , the method further comprising initializing, by the processor, the set of aggregated event impact scores prior to obtaining event data associated with computing events during the time interval, the initializing including:
 identifying, by the processor, the rolling time interval based on a defined rolling time interval length; 
 dividing, by the processor, the rolling time interval into a set of consecutive subintervals; and 
 for each subinterval in the set of consecutive subintervals:
 obtaining, by the processor, event data associated with computing events occurring during the subinterval; 
 calculating, by the processor, event impact scores for the computing events of the obtained event data associated with the subinterval based at least on cardinality estimation; and 
 merging, by the processor, the calculated event impact scores associated with the subinterval into the set of aggregated event impact scores for computing events associated with the rolling time interval. 
 
 
     
     
       3. The method of  claim 1 , wherein calculating an event impact score for a computing event of the computing events includes:
 determining a probabilistic cardinality estimate of the computing event based on the event data; 
 counting an alert quantity associated with the computing event in the event data; 
 applying a first weight factor value to the determined probabilistic cardinality estimate to form a weighted cardinality estimate; 
 applying a second weight factor value to the counted alert quantity to form a weighted alert quantity; and 
 combining the weighted cardinality estimate and the weighted alert quantity to form the event impact score of the computing event. 
 
     
     
       4. The method of  claim 1 , wherein merging the calculated event impact scores into the set of aggregated event impact scores includes:
 based on the calculated event impact scores including an impact score for an event for which the set of aggregated event impact scores lacks an impact score, adding the event and associated impact score into the set of aggregated event impact scores; and 
 based on the calculated event impact scores and the set of aggregated event impact scores including impact scores for the event, updating the impact score of the event in the set of aggregated event impact scores based on the impact score of the event in the calculated event impact scores. 
 
     
     
       5. The method of  claim 1 , wherein performing at least one security operation for at least one computing event based on the set of aggregated event impact scores includes:
 identifying an aggregated event impact score of the set of aggregated event impact scores that is associated with a computing event of the computing events and that exceeds a defined impact score threshold; 
 obtaining an event rule configured to trigger a security operation based on detection of the computing event, wherein the obtained event rule is in use in other systems; 
 sending a recommendation of the obtained event rule to the client system; and 
 based on acceptance of the sent recommendation, enabling the obtained event rule on the client system. 
 
     
     
       6. The method of  claim 1 , wherein performing at least one security operation for at least one computing event based on the set of aggregated event impact scores includes:
 identifying an aggregated event impact score of the set of aggregated event impact scores that is associated with a computing event of the computing events and that exceeds a defined impact score threshold; 
 obtaining an event rule configured to trigger a security operation based on detection of the computing event, wherein the obtained event rule is in use in a quantity of other systems that exceeds a defined system prevalence threshold; and 
 based on the identified aggregated event impact score exceeding the defined impact score threshold and the obtained event rule exceeding the defined system prevalence threshold, automatically enabling the obtained event rule on the client system. 
 
     
     
       7. The method of  claim 1 , wherein calculating event impact scores based at least on cardinality estimation includes using a HyperLogLog algorithm to generate a probabilistic cardinality estimate of a quantity of unique computing devices in the client system upon which a computing event occurred during the time interval based on the event data. 
     
     
       8. A computer system for automatically performing security operations associated with a client system based on aggregated event impact scores of computing events during a rolling time interval, the computer system comprising:
 a processor; and 
 a non-transitory computer readable medium having stored thereon program code for transferring data to another computer system, the program code causing the processor to: 
 obtain event data from a plurality of computing devices of the client system associated with computing events occurring during a time interval after an endpoint of the rolling time interval; 
 calculate event impact scores for the computing events of the obtained event data over the time interval based at least on cardinality estimation; 
 merge the calculated event impact scores into a set of aggregated event impact scores for computing events associated with the rolling time interval; 
 remove event impact scores of computing events associated with an expired time interval from the set of aggregated event impact scores; and 
 perform at least one security operation for at least one computing event based on the set of aggregated event impact scores. 
 
     
     
       9. The computer system of  claim 8 , wherein the program code further causes the processor to initialize the set of aggregated event impact scores prior to obtaining event data associated with computing events during the time interval, wherein initializing the set of aggregated event impact scores includes:
 identifying the rolling time interval based on a defined rolling time interval length; 
 dividing the rolling time interval into a set of consecutive subintervals; and 
 for each subinterval in the set of consecutive subintervals:
 obtaining event data associated with computing events occurring during the subinterval; 
 calculating event impact scores for the computing events of the obtained event data associated with the subinterval based at least on cardinality estimation; and 
 merging the calculated event impact scores associated with the subinterval into the set of aggregated event impact scores for computing events associated with the rolling time interval. 
 
 
     
     
       10. The computer system of  claim 8 , wherein calculating an event impact score for a computing event of the computing events includes:
 determining a probabilistic cardinality estimate of the computing event based on the event data; 
 counting an alert quantity associated with the computing event in the event data; 
 applying a first weight factor value to the determined probabilistic cardinality estimate to form a weighted cardinality estimate; 
 applying a second weight factor value to the counted alert quantity to form a weighted alert quantity; and 
 combining the weighted cardinality estimate and the weighted alert quantity to form the event impact score of the computing event. 
 
     
     
       11. The computer system of  claim 8 , wherein merging the calculated event impact scores into the set of aggregated event impact scores includes:
 based on the calculated event impact scores including an impact score for an event for which the set of aggregated event impact scores lacks an impact score, adding the event and associated impact score into the set of aggregated event impact scores; and 
 based on the calculated event impact scores and the set of aggregated event impact scores including impact scores for the event, updating the impact score of the event in the set of aggregated event impact scores based on the impact score of the event in the calculated event impact scores. 
 
     
     
       12. The computer system of  claim 8 , wherein performing at least one security operation for at least one computing event based on the set of aggregated event impact scores includes:
 identifying an aggregated event impact score of the set of aggregated event impact scores that is associated with a computing event of the computing events and that exceeds a defined impact score threshold; 
 obtaining an event rule configured to trigger a security operation based on detection of the computing event, wherein the obtained event rule is in use in other systems; 
 sending a recommendation of the obtained event rule to the client system; and 
 based on acceptance of the sent recommendation, enabling the obtained event rule on the client system. 
 
     
     
       13. The computer system of  claim 8 , wherein performing at least one security operation for at least one computing event based on the set of aggregated event impact scores includes:
 identifying an aggregated event impact score of the set of aggregated event impact scores that is associated with a computing event of the computing events and that exceeds a defined impact score threshold; 
 obtaining an event rule configured to trigger a security operation based on detection of the computing event, wherein the obtained event rule is in use in a quantity of other systems that exceeds a defined system prevalence threshold; and 
 based on the identified aggregated event impact score exceeding the defined impact score threshold and the obtained event rule exceeding the defined system prevalence threshold, automatically enabling the obtained event rule on the client system. 
 
     
     
       14. The computer system of  claim 8 , wherein calculating event impact scores based at least on cardinality estimation includes using a HyperLogLog algorithm to generate a probabilistic cardinality estimate of a quantity of unique computing devices in the client system upon which a computing event occurred during the time interval based on the event data. 
     
     
       15. A non-transitory computer storage medium having stored thereon program code executable by a first computer system at a first site, the program code embodying a method comprising:
 obtaining event data from a plurality of computing devices of a client system associated with computing events occurring during a time interval after an endpoint of a rolling time interval; 
 calculating event impact scores for the computing events of the obtained event data over the time interval based at least on cardinality estimation; 
 merging the calculated event impact scores into a set of aggregated event impact scores for computing events associated with the rolling time interval; 
 removing event impact scores of computing events associated with an expired time interval from the set of aggregated event impact scores; and 
 performing at least one security operation for at least one computing event based on the set of aggregated event impact scores. 
 
     
     
       16. The non-transitory computer storage medium of  claim 15 , wherein the method embodied by the program code further comprises initializing the set of aggregated event impact scores prior to obtaining event data associated with computing events during the time interval, the initializing including:
 Identifying the rolling time interval based on a defined rolling time interval length; 
 dividing the rolling time interval into a set of consecutive subintervals; and 
 for each subinterval in the set of consecutive subintervals:
 obtaining event data associated with computing events occurring during the subinterval; 
 calculating event impact scores for the computing events of the obtained event data associated with the subinterval based at least on cardinality estimation; and 
 merging the calculated event impact scores associated with the subinterval into the set of aggregated event impact scores for computing events associated with the rolling time interval. 
 
 
     
     
       17. The non-transitory computer storage medium of  claim 15 , wherein calculating an event impact score for a computing event of the computing events includes:
 determining a probabilistic cardinality estimate of the computing event based on the event data; 
 counting an alert quantity associated with the computing event in the event data; 
 applying a first weight factor value to the determined probabilistic cardinality estimate to form a weighted cardinality estimate; 
 applying a second weight factor value to the counted alert quantity to form a weighted alert quantity; and 
 combining the weighted cardinality estimate and the weighted alert quantity to form the event impact score of the computing event. 
 
     
     
       18. The non-transitory computer storage medium of  claim 15 , wherein merging the calculated event impact scores into the set of aggregated event impact scores includes:
 based on the calculated event impact scores including an impact score for an event for which the set of aggregated event impact scores lacks an impact score, adding the event and associated impact score into the set of aggregated event impact scores; and 
 based on the calculated event impact scores and the set of aggregated event impact scores including impact scores for the event, updating the impact score of the event in the set of aggregated event impact scores based on the impact score of the event in the calculated event impact scores. 
 
     
     
       19. The non-transitory computer storage medium of  claim 15 , wherein performing at least one security operation for at least one computing event based on the set of aggregated event impact scores includes:
 identifying an aggregated event impact score of the set of aggregated event impact scores that is associated with a computing event of the computing events and that exceeds a defined impact score threshold; 
 obtaining an event rule configured to trigger a security operation based on detection of the computing event, wherein the obtained event rule is in use in other systems; 
 sending a recommendation of the obtained event rule to the client system; and 
 based on acceptance of the sent recommendation, enabling the obtained event rule on the client system. 
 
     
     
       20. The non-transitory computer storage medium of  claim 15 , wherein performing at least one security operation for at least one computing event based on the set of aggregated event impact scores includes:
 identifying an aggregated event impact score of the set of aggregated event impact scores that is associated with a computing event of the computing events and that exceeds a defined impact score threshold; 
 obtaining an event rule configured to trigger a security operation based on detection of the computing event, wherein the obtained event rule is in use in a quantity of other systems that exceeds a defined system prevalence threshold; and 
 based on the identified aggregated event impact score exceeding the defined impact score threshold and the obtained event rule exceeding the defined system prevalence threshold, automatically enabling the obtained event rule on the client system.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.